GCM API Key restriction - ionic-framework

I try to send a push notification using ionic cloud, but Google now requires a restriction key. I don't know how to get a key restriction. Please help me.

Update: There is now a visible note in the GCM docs saying:
Starting from Sept. 2016 new server key can only be created in the Firebase Console using the Cloud Messaging tab of the Settings panel. Existing projects that need to create a new server key can be imported in the Firebase console without affecting their existing configuration.
There have been recent changes with regards to the Google Developers Console interface when generating an API Key. Before there used to be a part where you have to select what type it is (Server, Android, iOS, Browser keys). But now, it automatically creates then you can simply select the type of restriction you want, depending on where you'll use the key.
I haven't tried using Ionic before, but I think it's pretty much the same where you'll use the API key (in this case, the Server Key). Simply set the correct server IP Address in the IP address whitelist and try again.
Do keep in mind that adding restrictions is highly encouraged for your security against unauthorized use and quota theft (seen as a warning for API keys with no restrictions).
See my answer here for more details.

Related

How do I avoid downtime when "upgrading" an Azure static web app to use FrontDoor?

I have a static web app to which I have mapped the domains [domain].se and www.[domain].se. The domain is managed in Azure.
The problem I'm facing is redirecting all calls to [domain].se to www.[domain].se
Since I couldn't come up with any solution to redirecting http traffic from [domain].se to www.[domain].se using a static web app (other than setting up an additional standard web app on [domain].se that manages redirects), I enabled the "Enterprise-grade edge" feature (which by the way is a very silly name) to be able to use FrontDoor.
When attempting to add the domain to the frontdoor resource, there is an error message telling me that it's already mapped to something (which is correct - the site that I want frontdoor to manage).
When trying to remap [domain].se (and www.[domain].se) to the front door endpoint (select Azure resource in the DNS zone manager), the frontdoor resource is not available.
The issue could probably be resolved by simply removing the current records from the name server and then add a cname record to point it to the frontdoor endpoint.
Two reasons not to do that:
1: It would cause downtime.
2: It feels like a hack. Stuff generally works better when it is used the way it was expected to be when developed. I want the platform to recognize what things are connected in order to avoid future issues.

How do you save API keys without exposing them in the first place?

If I save API keys to Flutter_secure_storage, they must be exposed in the first place. How could they be pre-encrypted or saved to secure storage without exposing them initially?
I want to add a slight layer of security where keys are stored securely, only to be exposed when making an API call. But if I have keys hardcoded then they are exposed even if only at initial app run. How do you get around this logic?
To avoid exposing the API key, you should store keys in a '.env' file and use the flutter_dotenv package to access it while making API calls. Although this method will not help when making an API call. If you really want to secure exposing keys, you should move the API calls to the backend so those network calls cannot be seen by the client.
If this is a web project, you could use something like base64 on both ends, then debase and save like this:
SERVER (PHP):
$apiKeyEncoded = base64_encode(apiKeyGenerator()); // encode the generated key before sending it to the client
CLIENT (Dart):
import 'dart:convert'; // provides base64Decode and utf8
final apiKeyEncoded = await getApiKey();
final apiKeyDecoded = utf8.decode(base64Decode(apiKeyEncoded)); // base64Decode returns bytes; decode them back to the key string. This is the usable one, save it.
Now, if the project is focused on mobile use, I don't think you actually need to implement this, tho the code would be the same.
I will add some input to this. I am using Parse Back4App which exposes app API keys in the same way that firebase does. I have discovered a few very important security designs which may help with this.
Client side
Don't worry about app API keys being abused. Firebase/Back4App both have some security features in place for this including DoS & DDoS security features.
Move ALL actual API calls to server and call from client via cloud code. If you want to go to the extreme, create a user-device hash code for custom client rate limiting.
Server side
LOCK DOWN ALL CLPs, ALL ACLs, basically lock ALL PERMISSIONS and ONLY allow cloud calls with heavy security checks authorized access to anything server side including outside API calls.
Make API calls from your server only. Better yet, move your API calls outside cloud calls & create "cloudJobs", these run on schedule with Back4App and you can periodically call whatever API from server. Example: a crypto currency app might update prices once per second, once per minute etc. server gets these updates and pushes to clients. No risk of someone getting your crypto API keys and running the limits.
Put in a custom rate-limiting design & design around this so your rate limits would never trip under normal circumstances. If they do trip in excess, ban user & drop their requests.
Also put API keys in .env file on server. Go a step further & use a key encryption hardware service.
It would be a tell-tale sign that your server is compromised if your API keys get abused with this structure.
Want further DoS & DDoS protection? Mirror your server a few times and create a structure whereby client requests can be redirected under attack times or non-DDoS/DoS attacking clients receive new app API keys.
... I could go on and on about security & what I've learned but I'll leave it at that.
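As an added example (not code from any of the answers above, and not Back4App's, Firebase's or Flutter's API), the following Python sketch shows the server-side shape those answers describe: the upstream API key is read from the server's environment (loaded from a .env file in practice), clients call the server rather than the third-party API, and each call is rate-limited per user-device hash with a ban after repeated trips. The upstream call, the `UPSTREAM_API_KEY` variable name and the device-hash scheme are constructed assumptions.

```python
import hashlib
import os
import time
from collections import deque

# Constructed stand-in for the server's .env: in a real deployment a dotenv loader
# populates os.environ before the app starts. The value is not a real key.
os.environ.setdefault("UPSTREAM_API_KEY", "constructed-example-key-not-real")


class RateLimiter:
    """Sliding-window limiter keyed by a device hash; repeat offenders are banned."""

    def __init__(self, max_requests: int, window_seconds: float, max_trips: int):
        self.max_requests = max_requests
        self.window = window_seconds
        self.max_trips = max_trips      # how many times a device may trip the limit before a ban
        self._hits = {}                 # device hash -> deque of request timestamps
        self._trips = {}                # device hash -> number of limit trips
        self.banned = set()

    def allow(self, device: str, now: float) -> bool:
        if device in self.banned:
            return False
        q = self._hits.setdefault(device, deque())
        while q and now - q[0] >= self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.max_requests:
            self._trips[device] = self._trips.get(device, 0) + 1
            if self._trips[device] >= self.max_trips:
                self.banned.add(device)          # ban and drop further requests
            return False
        q.append(now)
        return True


def device_hash(user_id: str, device_id: str) -> str:
    """Assumed scheme for the 'user-device hash' the answer mentions: SHA-256 of user:device."""
    return hashlib.sha256(f"{user_id}:{device_id}".encode()).hexdigest()


class ApiProxy:
    """Server-side endpoint the client calls instead of the third-party API."""

    def __init__(self, upstream, limiter: RateLimiter):
        self._api_key = os.environ["UPSTREAM_API_KEY"]   # key lives only in server memory
        self._upstream = upstream
        self._limiter = limiter

    def handle(self, user_id: str, device_id: str, payload: dict, now=None) -> dict:
        now = time.time() if now is None else now
        if not self._limiter.allow(device_hash(user_id, device_id), now):
            return {"status": 429, "body": "rate limited"}
        # The key is used here and only the upstream result goes back to the client.
        return {"status": 200, "body": self._upstream(self._api_key, payload)}


def fake_upstream(api_key: str, payload: dict) -> dict:
    """Constructed stand-in for the real third-party API call."""
    return {"echo": payload, "authenticated": api_key == os.environ["UPSTREAM_API_KEY"]}


def build_demo_proxy() -> ApiProxy:
    # 3 requests per 10 s; a device that trips the limit twice is banned.
    return ApiProxy(fake_upstream, RateLimiter(max_requests=3, window_seconds=10, max_trips=2))


if __name__ == "__main__":
    proxy = build_demo_proxy()
    for t in range(5):
        print(t, proxy.handle("u1", "phone-a", {"q": "btc"}, now=t))
```

With this layout the client only ever holds a session with your server; encoding the key with base64 on the wire, by contrast, is reversible by anyone who reads the traffic or the app bundle and hides it only from a casual glance.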

How to configure Big Blue Button for Xirsys TURN server?

I run a self-hosted instance of BigBlueButton and signed up for Xirsys TURN server services because we need to serve clients behind (pretty restrictive) firewalls. Before, I had been running my own instance of coturn, but as this led to problems recently, I thought I would give someone who does this for a living a try.
Now the configuration in BBB is explained here:
https://docs.bigbluebutton.org/2.2/setup-turn-server.html
Yet so far I completely failed to match the parameters I receive from Xirsys with what I have to put into the /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml file in the place of the <turn.example.com> and <secret_value>.
Did anyone ever make this work? I did try and find a tutorial but also failed.
bbb-web is returning the TURN URIs and passwords to the HTML5 client, which the client is using in sip.js,
so you can either get bbb-web to send valid usernames/passwords if the same method is used, or modify the HTML5 client to make a Xirsys API call to get access to the TURN candidates.
Would need to look at api docs. twilio has a similar service.
regards,
Stephen
not the most elegant solution but the easiest one for me:
modify the final bbb js bundle to load the stunturn info from a fixed url in
e.g.
/usr/share/meteor/bundle/programs/web.browser/f30716b2b57e2862c4db2325b7aac63f4622842b.js
the minified part should then look somewhat like:
const r=Meteor.settings.public.media,i='https://<yourbbburl>/html5client/stunturn.json',a=r.cacheStunTurnServers,s=r.fallbackStunServer;
and put either the static credentials or generated ones in a file stunturn.json beside the js bundle.
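The "generated" credentials the last answer mentions, and the `<secret_value>` in the question's turn-stun-servers.xml, follow the shared-secret scheme that coturn uses (the TURN REST API draft: username is `expiry:user`, password is base64 of HMAC-SHA1 over the username with the shared secret). The following Python is an added example of that scheme, not BigBlueButton's or Xirsys's own code; Xirsys hands out credentials through its own API, so this only reproduces the self-hosted coturn side. The host names, the `w_abc` user id and the ICE server shape (the standard WebRTC RTCIceServer dictionary, which may differ from BBB's stunturn.json layout) are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple


def make_turn_credential(shared_secret: str, user_id: str, ttl_seconds: int,
                         now: Optional[int] = None) -> Tuple[str, str]:
    """Time-limited TURN credential in the coturn 'use-auth-secret' (REST API) scheme."""
    now = int(time.time()) if now is None else now
    username = f"{now + ttl_seconds}:{user_id}"           # expiry timestamp first
    mac = hmac.new(shared_secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode()


def verify_turn_credential(shared_secret: str, username: str, password: str,
                           now: Optional[int] = None) -> bool:
    """What the TURN server checks: the credential is unexpired and the MAC matches."""
    now = int(time.time()) if now is None else now
    try:
        expiry, _ = username.split(":", 1)
        if int(expiry) <= now:
            return False                                    # expired credential
    except ValueError:
        return False                                        # malformed username
    mac = hmac.new(shared_secret.encode(), username.encode(), hashlib.sha1).digest()
    expected = base64.b64encode(mac).decode()
    return hmac.compare_digest(expected, password)          # constant-time compare


def ice_server_entry(turn_host: str, username: str, password: str) -> dict:
    """RTCIceServer-shaped dict a client could hand to a WebRTC peer connection (assumed shape)."""
    return {
        "urls": [f"turn:{turn_host}:3478?transport=udp", f"turns:{turn_host}:443?transport=tcp"],
        "username": username,
        "credential": password,
    }


if __name__ == "__main__":
    # Constructed values: the secret is the one configured on the TURN server (static-auth-secret
    # in coturn, <secret_value> in BBB's turn-stun-servers.xml); never a real one here.
    user, pwd = make_turn_credential("constructed-shared-secret", "w_abc", 86400)
    print(ice_server_entry("turn.example.com", user, pwd))
    print(verify_turn_credential("constructed-shared-secret", user, pwd))
```

If a credential generated this way is rejected by the TURN server, the two things to compare are the shared secret on both sides and the clock: the server rejects any username whose expiry timestamp is already in the past.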

How do I gain access to an existing application

I have inherited an application that currently has an appId, but I need to change some of the other information. I don't know what user controls the application. How can I gain access to an existing application?
You will need to track down who is currently the admin of the app, there's no other way.
You can probably clone the git repository to your local machine; you can find the address in the app details. You should of course remove the old ssh key and upload your public key instead - https://devcenter.heroku.com/articles/keys

Where to store key for AES_ENCRYPT in MySQL?

I develop an app for iPhone / iPod Touch which has to have access to a MySQL database. I wrote a PHP API which I can call from the iPhone app.
In the database I store sensitive data which I want to encrypt. I think I will use AES_ENCRYPT. My problem is where to store the key.
It'd be great if you have any idea where to store the key to encrypt / decrypt so that it can not be seen by any other persons, e.g. hackers.
In general:
Don't keep your key in a part of the server that the web server has direct access to. For example, if your site is in /var/www/home, don't put your key in there. Put it someplace outside the web server's part of the tree.
Make sure that the permissions on the folder containing your key are correctly set. Your PHP app needs to have READ access only, NOT write or execute on that folder (and the key file).
Make sure the server itself has a good password (long, lots of random numbers, letters, and symbols).
Make sure the server is protected by a properly configured firewall, and is kept up to date with the most recent security patches.
As for trying to keep the key and the data separate -- this is a perennial problem for which there is no very good solution. The simple fact of the matter is that your application has to have access to the key. Either that means forcing everyone who's going to use the app to memorize the key -- which is likely to lead to sticky notes on monitors in plain view -- or else it has to live somewhere that the app can find it, either on the same server or another.
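The first two points of the answer (key outside the web root, readable but not writable or executable by the application) can be enforced at load time rather than trusted to stay that way. The following Python is an added example of such a loader, not code from the answer or from any project; the API in the question is PHP, so this is only the same check in a runnable form. The paths, the `db.key` file name and the demo layout are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path


def load_db_key(key_path, web_root) -> bytes:
    """Read the AES key only if it sits outside the web root with read-only owner permissions."""
    key = Path(key_path).resolve()
    root = Path(web_root).resolve()
    if key == root or root in key.parents:
        raise PermissionError(f"key file {key} lies inside web root {root}")
    st = key.stat()
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        raise PermissionError(f"key file is group/world accessible (mode {mode:04o})")
    if mode & (stat.S_IWUSR | stat.S_IXUSR):
        raise PermissionError(f"key file must be read-only for the owner (mode {mode:04o})")
    if st.st_uid != os.geteuid():
        raise PermissionError("key file must be owned by the application user")
    data = key.read_bytes().strip()
    if not data:
        raise ValueError("key file is empty")
    return data


def demo() -> dict:
    """Builds a constructed directory layout in a temp dir and reports how each placement fares."""
    base = Path(tempfile.mkdtemp())
    web_root = base / "var" / "www" / "home"      # mirrors the answer's example web root
    key_dir = base / "etc" / "myapp"              # outside the web server's part of the tree
    web_root.mkdir(parents=True)
    key_dir.mkdir(parents=True)
    cases = {
        "outside_webroot_mode_0400": (key_dir / "db.key", 0o400),
        "outside_webroot_mode_0644": (key_dir / "loose.key", 0o644),
        "inside_webroot_mode_0400": (web_root / "db.key", 0o400),
    }
    results = {}
    for name, (path, mode) in cases.items():
        path.write_bytes(b"constructed-demo-key-not-real\n")
        path.chmod(mode)
        try:
            results[name] = load_db_key(path, web_root)
        except (PermissionError, ValueError) as exc:
            results[name] = type(exc).__name__
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The loader refuses a key that is world-readable, owner-writable or inside the web root, so a later deployment or permissions mistake fails loudly instead of silently exposing the key; the key bytes it returns are what you would pass as the second argument of AES_ENCRYPT through a parameterized query.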